The vulnerability, a buffer overflow that could allow a remote attacker to execute arbitrary code on, or crash, an affected system, was disclosed by David Thiel, a senior security researcher at iSec Partners, at the annual Black Hat conference in early August. It affects iTunes 7.3.2.
Thiel told SCMagazineUS.com that he discovered the buffer overflow during an independent examination of security vulnerabilities in a variety of media software applications, including commercial and open-source products. He found what he called a "heap overflow" in the code that handles album cover art for songs iTunes is about to play.
A specially crafted file could take advantage of the overflow to inject malicious code into the buffer, rather than code pointing to the album cover, he said. The "payload" could be a keylogger, a botnet client or other software designed to steal personal information "or just destroy the machine," he added.
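The bug class described above, as an added illustration that is not part of the original article and not Apple's code: a hypothetical cover-art tag parser whose two length fields disagree. The tag layout (an "APIC" magic, a 16-bit allocation size and a 32-bit payload length) and the function names are invented for this example. The vulnerable version sizes its heap buffer from one field and copies using the other, so a crafted file that declares a large payload length writes past the allocation; the hardened version rejects any tag whose lengths are inconsistent or exceed the bytes actually present.

```c
/* Added example (not from the article or from Apple): a hypothetical
 * cover-art tag parser showing a heap overflow driven by a crafted
 * media file, beside a hardened version. The tag layout is invented:
 *   4 bytes  magic "APIC"
 *   2 bytes  image_size   (big-endian) bytes the parser allocates
 *   4 bytes  payload_len  (big-endian) bytes of picture data that follow
 *   payload_len bytes of picture data
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_HEADER_LEN 10

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable: allocates image_size bytes but trusts payload_len for the copy.
 * A crafted tag with payload_len > image_size overflows the heap buffer. */
int parse_cover_art_vulnerable(const uint8_t *tag, size_t tag_len,
                               uint8_t **out, size_t *out_len) {
    if (tag_len < TAG_HEADER_LEN || memcmp(tag, "APIC", 4) != 0) return -1;
    uint16_t image_size  = be16(tag + 4);
    uint32_t payload_len = be32(tag + 6);
    uint8_t *img = malloc(image_size);
    if (img == NULL) return -1;
    memcpy(img, tag + TAG_HEADER_LEN, payload_len);   /* heap overflow here */
    *out = img;
    *out_len = image_size;
    return 0;
}

/* Hardened: both length fields must agree and must fit in the input. */
int parse_cover_art_hardened(const uint8_t *tag, size_t tag_len,
                             uint8_t **out, size_t *out_len) {
    if (tag_len < TAG_HEADER_LEN || memcmp(tag, "APIC", 4) != 0) return -1;
    uint16_t image_size  = be16(tag + 4);
    uint32_t payload_len = be32(tag + 6);
    if (image_size == 0) return -1;
    if (payload_len != image_size) return -2;              /* inconsistent lengths */
    if (payload_len > tag_len - TAG_HEADER_LEN) return -3; /* claims bytes the file lacks */
    uint8_t *img = malloc(image_size);
    if (img == NULL) return -1;
    memcpy(img, tag + TAG_HEADER_LEN, image_size);          /* bounded by the allocation */
    *out = img;
    *out_len = image_size;
    return 0;
}

/* Constructed sample tags for this example. */
static const uint8_t benign_tag[] = {
    'A','P','I','C', 0x00,0x04, 0x00,0x00,0x00,0x04, 'i','m','a','g' };
/* Declares a 4-byte image but a 0x1000-byte payload: 4092 bytes past the buffer. */
static const uint8_t crafted_tag[] = {
    'A','P','I','C', 0x00,0x04, 0x00,0x00,0x10,0x00, 'i','m','a','g' };
/* Lengths agree, but the file holds only 2 of the 4 declared bytes. */
static const uint8_t truncated_tag[] = {
    'A','P','I','C', 0x00,0x04, 0x00,0x00,0x00,0x04, 'i','m' };

int main(void) {
    uint8_t *img = NULL;
    size_t n = 0;
    printf("hardened(benign)    = %d\n",
           parse_cover_art_hardened(benign_tag, sizeof benign_tag, &img, &n));
    free(img);
    printf("hardened(crafted)   = %d\n",
           parse_cover_art_hardened(crafted_tag, sizeof crafted_tag, &img, &n));
    printf("hardened(truncated) = %d\n",
           parse_cover_art_hardened(truncated_tag, sizeof truncated_tag, &img, &n));
    /* The vulnerable parser is only run on benign input here; feeding it
     * crafted_tag would write 4092 bytes past a 4-byte heap allocation. */
    printf("vulnerable(benign)  = %d\n",
           parse_cover_art_vulnerable(benign_tag, sizeof benign_tag, &img, &n));
    free(img);
    return 0;
}
```

The two checks in the hardened parser are the ones that matter for this class of bug: the copy length must be derived from, or verified against, the size that was actually allocated, and it must never exceed the bytes remaining in the input. Running the vulnerable parser on `crafted_tag` under a heap checker such as AddressSanitizer reports the out-of-bounds write immediately.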
At particular risk are iTunes users who download music from non-commercial sites or import them from friends, Don Leatham, director of solutions and strategies at Lumension Security (formerly PatchLink), told SCMagazineUS.com. Music files from those types of sources are more likely to contain vulnerabilities than those from widely visited commercial sites, he noted.
While calling this a "critical" vulnerability, Thiel admitted that "there is some limit to the damage this can do." Windows XP users with "admin" rights are more at risk than those with limited-rights accounts.
Apple released iTunes 7.4 this week to fix the buffer overflow vulnerability on Mac OS X v10.3.9, Mac OS X v10.4.7 and later, and on Windows XP and Vista. In addition to plugging the vulnerability, this update allows iTunes users to download music via Wi-Fi and to download the music playing at Starbucks. It also gives users the ability to rate videos and view closed-captioned videos.